Healthcare Data Security: Facts and Figures

In my last article, “Practical Data Security for Medical Professionals”, I discussed some of the most common ways that medical practices can deter others from gaining access to their networks and the highly valued PHI that they contain. In short, improving the strength of passwords and eliminating password sharing (still among the largest problems we see in the market), encrypting data, usernames and passwords, and requiring user authentication and third party vendor audits are just some of the steps that you can take to bolster your office’s data security and send the bad guys looking elsewhere.

Here I would like to bring to your attention some recently released statistics on data security breaches in healthcare that are intended to reinforce the importance of staff training and vigilance on the part of providers and practice administrators.

Healthcare Data Breaches, by the Numbers:

IBM Security and Ponemon Institute research indicates that the average cost of a data breach is $3.62 million globally. However, for the seventh year in a row, healthcare has topped the list as the most expensive industry for data breaches. “Healthcare data breaches cost organizations $380 per record, more than 2.5 times the global average across industries ($141 per record.)”

The 2017 Annual Data Breach Year-End Review published by the Identity Theft Resource Center® and CyberScout® reported that there were 1,579 data breaches in the U.S. in 2017, a 44.7% increase over 2016 and a new record high. Of those, 374 (23.7%) were in the medical/healthcare sector.

According to the 2017 Data Breach Investigations Report, a respected analysis of data security incidents (denial of service and website defacement) and global data breaches (incidents that involve the release of personally sensitive, protected and/or confidential data) compiled by Verizon and over sixty of its national and international partners:

There were over 450 data security incidents and nearly 300 data breaches (confirmed data disclosure) in the healthcare industry last year, representing 15% of total data breaches. Of those, 80% were the result of “privilege misuse” (unapproved or malicious use of company resources), miscellaneous error (unintentional actions that compromised and exposed sensitive data) and physical theft or loss of assets with sensitive data on them.

62% of breaches were the result of some form of hacking, and 80% of hacking-related breaches were accomplished with the help of stolen passwords or weak/easily guessable passwords.

51% of breaches used some form of malware, and 66% of that malware was installed using malicious email attachments.

The Importance of Information Security Professionals to your Practice

Perhaps most significantly, according to the Verizon report 19% of healthcare breaches in 2017 occurred with small healthcare practices, which often do not have the resources available or, more importantly, do not make the resources available to prepare for and defend against the most common types of hacking activities.

On this note, I would like to share an anecdotal observation about the gravity of the threat to medical practices today.

In our business we are often in contact with practices and their staff members that are seeking assistance with their clinical photography software, which in turn frequently means that we are asked for help with their computers. And while we do not formally track the data, I would estimate that less than 30-40% of these practices have engaged a qualified information technology and security professional to help them with their network configuration and security. Often this critically important task is handled by members of the staff or their relatives who are “very technical” and “good with computers”. If this sounds familiar to you, this is the time to begin thinking about getting some help reviewing your systems and training your staff in the importance of good security practices and security awareness.

Unfortunately, this is not a drill folks. This is the real thing. And I hope that you are taking it very seriously.

About The Author : Freddy is the CEO of Epitomyze Inc., a team of healthcare and medical imaging experts devoted to revolutionizing the role of clinical photography in medicine. Our premier service is Epitomyze Cloud™, a state-of-the-art cloud-based, digital-asset storage and management solution for image data. The service can be accessed through secure credentials from any device, and can be paired with our sophisticated Epitomyze Capture™ app. Email us at info@epitomyze.com or call us at (800) 774-7630

Freddy is passionate about the subject of digital imaging in medicine and the role that clinical photography can play in improving the quality of care for patients. Follow him on Twitter: @epitomyze.